kaniko
Kaniko ADD instruction does not preserve permissions via chmod argument
Actual behavior
The ADD Dockerfile instruction does not preserve permissions when the chmod argument is used.
Expected behavior
The ADD Dockerfile instruction with the chmod argument preserves permissions.
To Reproduce
Steps to reproduce the behavior:
- Build Dockerfile:
```dockerfile
FROM alpine:latest
ADD --chmod=0755 https://github.com/GoogleContainerTools/kaniko/blob/main/benchmark.sh /usr/local/bin
# Check permissions
RUN ls -al /usr/local/bin/
```
- Get output:
```
/workspace # executor -c . --no-push
INFO[0000] Retrieving image manifest alpine:latest
INFO[0000] Retrieving image alpine:latest from registry index.docker.io
INFO[0022] Built cross stage deps: map[]
INFO[0022] Retrieving image manifest alpine:latest
INFO[0022] Returning cached image manifest
INFO[0022] Executing 0 build triggers
INFO[0022] Building stage 'alpine:latest' [idx: '0', base-idx: '-1']
INFO[0022] Unpacking rootfs as cmd ADD --chmod=0755 https://github.com/GoogleContainerTools/kaniko/blob/main/benchmark.sh /usr/local/bin requires it.
INFO[0027] Using files from context: []
INFO[0027] ADD --chmod=0755 https://github.com/GoogleContainerTools/kaniko/blob/main/benchmark.sh /usr/local/bin
INFO[0027] Adding remote URL https://github.com/GoogleContainerTools/kaniko/blob/main/benchmark.sh to /usr/local/bin/benchmark.sh
INFO[0033] Taking snapshot of files...
INFO[0033] RUN ls -al /usr/local/bin/
INFO[0033] Initializing snapshotter ...
INFO[0033] Taking snapshot of full filesystem...
INFO[0033] Cmd: /bin/sh
INFO[0033] Args: [-c ls -al /usr/local/bin/]
INFO[0033] Running: [/bin/sh -c ls -al /usr/local/bin/]
total 124
drwxr-xr-x 1 root root 24 Nov 13 13:56 .
drwxr-xr-x 1 root root 22 Nov 13 13:56 ..
-rw------- 1 root root 126793 Nov 13 13:56 benchmark.sh
INFO[0033] Taking snapshot of full filesystem...
INFO[0033] No files were changed, appending empty layer to config. No layer added to image.
INFO[0033] Skipping push to container registry due to --no-push flag
```
- The file has permissions 0600, but must have 0755
Additional Information
- Dockerfile
```dockerfile
FROM alpine:latest
ADD --chmod=0755 https://github.com/GoogleContainerTools/kaniko/blob/main/benchmark.sh /usr/local/bin
RUN ls -al /usr/local/bin/
```
- Build Context: directory with the Dockerfile above only. File from ADD instruction - https://github.com/GoogleContainerTools/kaniko/blob/main/benchmark.sh
- Kaniko Image: gcr.io/kaniko-project/executor:v1.18.0-debug
- I do not see any chmod operation or setting of permissions, only a chown operation, in source file https://github.com/GoogleContainerTools/kaniko/blob/main/pkg/commands/add.go
Triage Notes for the Maintainers
Description | Yes/No |
---|---|
Please check if this is a new feature you are proposing | |
Please check if the build works in docker but not in kaniko | |
Please check if this error is seen when you use --cache flag | |
Please check if your dockerfile is a multistage dockerfile | |
Hello, as I see it, this is not a feature-request, this is a hardcore bug. @JeromeJu, why did you reassign the bug report as a feature-request?
thanks
Thanks for catching this. This is essentially a /kind/bug. Updated.
@JeromeJu thank you a lot
Does this also affect COPY commands?
Yeah, I ran into this using COPY yesterday.
@robross0606, yes.
Kaniko output:
```
wget https://github.com/GoogleContainerTools/kaniko/blob/main/run_in_docker.sh
ls -al run_in_docker.sh
-rw-r--r-- 1 1000 1000 12837 ноя 16 10:31 run_in_docker.sh
/workspace executor --no-push
INFO[0000] Retrieving image manifest ubuntu:latest
INFO[0000] Retrieving image ubuntu:latest from registry index.docker.io
INFO[0021] Built cross stage deps: map[]
INFO[0021] Retrieving image manifest ubuntu:latest
INFO[0021] Returning cached image manifest
INFO[0021] Executing 0 build triggers
INFO[0021] Building stage 'ubuntu:latest' [idx: '0', base-idx: '-1']
INFO[0021] Unpacking rootfs as cmd COPY --chmod=0755 run_in_docker.sh /usr/local/bin requires it.
INFO[0028] COPY --chmod=0755 run_in_docker.sh /usr/local/bin
INFO[0028] Taking snapshot of files...
INFO[0028] RUN ls -al /usr/local/bin
INFO[0028] Initializing snapshotter ...
INFO[0028] Taking snapshot of full filesystem...
INFO[0028] Cmd: /bin/sh
INFO[0028] Args: [-c ls -al /usr/local/bin]
INFO[0028] Running: [/bin/sh -c ls -al /usr/local/bin]
total 16
drwxr-xr-x 1 root root 32 Nov 16 07:34 .
drwxr-xr-x 1 root root 72 Nov 16 07:34 ..
-rw-r--r-- 1 1000 1000 12837 Nov 16 07:34 run_in_docker.sh
```
Dockerfile:
```dockerfile
FROM ubuntu:latest
COPY --chmod=0755 run_in_docker.sh /usr/local/bin
RUN ls -al /usr/local/bin
```
Issue #1751 is a feature request to add the --chmod arg to the COPY command. Is this issue actually a feature request?
I've encountered this bug as well, and I've found a helpful workaround to address it:
When making changes to permissions within a directory, such as using chmod or chown, ensure that these operations are the last steps performed in that directory.
E.g. if your Dockerfile initially looks like this:
```dockerfile
FROM alpine:latest
RUN chown nobody: /opt
COPY file.test /opt/file.test
```
Change it to this, so the last operation that is performed in the directory is chown:
```dockerfile
FROM alpine:latest
COPY file.test /opt/file.test
RUN chown nobody: /opt
```
While not an ideal solution, this workaround proves effective in managing the issue until the root cause is resolved, considering that there are several open issues currently related to this.
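A build-time check for the failure reported in this thread, as an added example (not kaniko code and not from any commenter): it reads the `--chmod` value from single-source `ADD`/`COPY` lines and compares it with the mode found in an unpacked image root filesystem. `CheckChmod`, the rootfs directory layout and the temp-directory sample are assumptions, and destinations are taken to be absolute paths.

```go
package main

import (
	"fmt"
	"os"
	"path"
	"path/filepath"
	"regexp"
	"strconv"
)

// Single-source ADD/COPY carrying --chmod=<octal>; groups: mode, source, destination.
var chmodRe = regexp.MustCompile(`(?im)^[ \t]*(?:ADD|COPY)[ \t]+(?:--\S+[ \t]+)*?` +
	`--chmod=([0-7]{3,4})[ \t]+(?:--\S+[ \t]+)*(\S+)[ \t]+(\S+)[ \t]*$`)

// CheckChmod (hypothetical helper) reports files under rootfs, an unpacked
// image filesystem, whose permission bits differ from the --chmod value.
func CheckChmod(dockerfile, rootfs string) ([]string, error) {
	var out []string
	for _, m := range chmodRe.FindAllStringSubmatch(dockerfile, -1) {
		n, _ := strconv.ParseUint(m[1], 8, 12) // digits already validated by the regex
		want := os.FileMode(n) & os.ModePerm   // compare rwx bits only
		rel := m[3]
		if st, err := os.Stat(filepath.Join(rootfs, rel)); err == nil && st.IsDir() {
			rel = path.Join(rel, path.Base(m[2])) // destination is a directory
		}
		st, err := os.Stat(filepath.Join(rootfs, rel))
		if err != nil {
			return nil, fmt.Errorf("%s: %w", rel, err)
		}
		if got := st.Mode().Perm(); got != want {
			out = append(out, fmt.Sprintf("%s: want %04o, got %04o", rel, want, got))
		}
	}
	return out, nil
}

func main() {
	// Constructed sample: a temp rootfs holding the file with mode 0600, as in the report.
	root, _ := os.MkdirTemp("", "rootfs")
	defer os.RemoveAll(root)
	os.MkdirAll(filepath.Join(root, "usr/local/bin"), 0o755)
	os.WriteFile(filepath.Join(root, "usr/local/bin/benchmark.sh"), nil, 0o600)
	df := "FROM alpine:latest\nADD --chmod=0755 " +
		"https://github.com/GoogleContainerTools/kaniko/blob/main/benchmark.sh /usr/local/bin\n"
	fmt.Println(CheckChmod(df, root))
}
```

Failing the pipeline when the returned list is non-empty catches the mismatch in either direction, including a file that ends up more permissive than the Dockerfile requested.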